HIPAA Encryption: A Tale Of Two HIPAA Breaches

I find it fascinating that two different companies can have such disparate reactions to a PHI data breach that occurred under similar conditions. Consider two entries at phiprivacy.net, where computers were stolen, triggering a HIPAA breach (obviously, the use of managed HIPAA encryption software like AlertBoot was neglected; otherwise, there wouldn't be a HIPAA breach).

Self Regional Healthcare and Haley Chiropractic of Tacoma reported data breaches where laptops were stolen during a burglary of office premises. Haley Chiropractic announced that 6,000 patients were affected, three computers were stolen, and that it doesn't "believe there is a high risk of misuse of the information." How can Haley Chiropractic substantiate their conclusion? They can't. They have absolutely no data.

Self Regional Healthcare, on the other hand, reported that one laptop was stolen, reportedly less than 500 people were affected, and that it "must assume there is a possibility that someone may have accessed certain patients' protected health information," despite the fact that the thieves were apprehended and "claimed never to have accessed the laptop."

Low Risk = Encryption

You know how you know there is a low risk of data being accessed on a stolen computer? If you use encryption software to protect the data. Otherwise, making such a claim should be illegal because it only serves to confuse people. You could say it confuses the most vulnerable people, since skeptical people would ignore such a blatantly self-serving statement and do what it takes to ensure they're protected.

While I'm not sure what Haley Chiropractic is doing to prevent future recurrences, it turns out that Self Regional Healthcare has deployed encryption on laptops since the incident.

It's not surprising, when you consider how they've reacted to their data breach.

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading
provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing
support of the AlertBoot disk encryption managed service.
Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts
University in Medford, Massachusetts, U.S.A.